
Coolify Discloses 11 Critical Flaws Enabling Full Server Compromise on Self-Hosted Instances

Cybersecurity researchers have disclosed details of multiple critical-severity security flaws affecting Coolify, an open-source, self-hosting platform, that could lead to authentication bypass and remote code execution.

The list of vulnerabilities is as follows –

  • CVE-2025-66209 (CVSS score: 10.0) – A command injection vulnerability in the database backup functionality allows any authenticated user with database backup permissions to execute arbitrary commands on the host server, resulting in container escape and full server compromise
  • CVE-2025-66210 (CVSS score: 10.0) – An authenticated command injection vulnerability in the database import functionality allows attackers to execute arbitrary commands on managed servers, leading to full infrastructure compromise
  • CVE-2025-66211 (CVSS score: 10.0) – A command injection vulnerability in the PostgreSQL init script management allows authenticated users with database permissions to execute arbitrary commands as root on the server
  • CVE-2025-66212 (CVSS score: 10.0) – An authenticated command injection vulnerability in the Dynamic Proxy Configuration functionality allows users with server management permissions to execute arbitrary commands as root on managed servers
  • CVE-2025-66213 (CVSS score: 10.0) – An authenticated command injection vulnerability in the File Storage Directory Mount functionality allows users with application/service management permissions to execute arbitrary commands as root on managed servers
  • CVE-2025-64419 (CVSS score: 9.7) – A command injection vulnerability via docker-compose.yaml that allows attackers to execute arbitrary system commands as root on the Coolify instance
  • CVE-2025-64420 (CVSS score: 10.0) – An information disclosure vulnerability that allows low-privileged users to view the private key of the root user on the Coolify instance, allowing them to gain unauthorized access to the server via SSH and authenticate as the root user using the key
  • CVE-2025-64424 (CVSS score: 9.4) – A command injection vulnerability in the git source input fields of a resource, allowing a low-privileged user (member) to execute system commands as root on the Coolify instance
  • CVE-2025-59156 (CVSS score: 9.4) – An operating system command injection vulnerability that allows a low-privileged user to inject arbitrary Docker Compose directives and achieve root-level command execution on the underlying host
  • CVE-2025-59157 (CVSS score: 10.0) – An operating system command injection vulnerability that allows a regular user to inject arbitrary shell commands that execute on the underlying server by using the Git Repository field during deployment
  • CVE-2025-59158 (CVSS score: 9.4) – An improper encoding or escaping of output vulnerability that allows an authenticated user with low privileges to conduct a stored cross-site scripting (XSS) attack during project creation that is automatically executed in the browser context when an administrator later attempts to delete the project or its associated resource
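Most of the entries above are the same bug class: a user-supplied field (git repository, init script, mount path, compose directive) ends up inside a command line that a shell parses. The snippet below is an added illustration of that pattern beside its hardened form; it is not Coolify's code and makes no claim about how Coolify builds its commands. The sample inputs are constructed, and `echo` stands in for the real deployment binary so the demo runs offline.

```python
import re
import subprocess

# Constructed sample inputs for the demo (not taken from any real report):
# a benign repository value and the same field carrying a shell payload.
BENIGN_REPO = "https://github.com/example/app.git"
PAYLOAD_REPO = "https://github.com/example/app.git; echo INJECTED"

# `echo` stands in for the real deployment binary (git) so the demo runs
# offline; it prints whatever argv the command builder hands it.
TOOL = "echo"


def clone_unsafe(repo: str, dest: str) -> str:
    """Vulnerable pattern: the user-controlled field is interpolated into a
    string that a shell then parses, so ';', '|', '$(...)' etc. are honoured."""
    cmd = f"{TOOL} clone {repo} {dest}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allow-list of repository forms a deployment field should accept:
# https://host[:port]/path, ssh://user@host[:port]/path, user@host:path.
_REPO_RE = re.compile(
    r"^(?:https?://[\w.\-]+(?::\d+)?/[\w.\-/]+"
    r"|ssh://[\w.\-]+@[\w.\-]+(?::\d+)?/[\w.\-/]+"
    r"|[\w.\-]+@[\w.\-]+:[\w.\-/]+)$"
)


def validate_repo(repo: str) -> str:
    """Reject anything outside the allow-list. This also blocks values that
    start with '-', which git would otherwise parse as an option
    (e.g. --upload-pack=<command>), an injection that argv lists alone do
    not prevent."""
    if not _REPO_RE.match(repo):
        raise ValueError(f"rejected repository value: {repo!r}")
    return repo


def clone_safe(repo: str, dest: str) -> str:
    """Hardened pattern: validated input, an argv list (no shell), and '--'
    so the tool cannot read the repository value as an option."""
    argv = [TOOL, "clone", "--", validate_repo(repo), dest]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("unsafe:", repr(clone_unsafe(PAYLOAD_REPO, "/srv/app")))
    print("safe:  ", repr(clone_safe(BENIGN_REPO, "/srv/app")))
    try:
        clone_safe(PAYLOAD_REPO, "/srv/app")
    except ValueError as exc:
        print("safe:  ", exc)
```

With the unsafe builder the payload runs as a second command; with the safe builder the same value never reaches a shell and is rejected before the tool is invoked. Note that switching to an argv list alone is not enough for tools like git, which interpret a leading `-` in an argument as an option; the allow-list and the `--` separator close that second path.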

The following versions are affected by the flaws –

  • CVE-2025-66209, CVE-2025-66210, CVE-2025-66211 – <= 4.0.0-beta.448 (Fixed in >= 4.0.0-beta.451)
  • CVE-2025-66212, CVE-2025-66213 – <= 4.0.0-beta.450 (Fixed in >= 4.0.0-beta.451)
  • CVE-2025-64419 – < 4.0.0-beta.436 (Fixed in >= 4.0.0-beta.445)
  • CVE-2025-64420, CVE-2025-64424 – <= 4.0.0-beta.434 (Fix status unclear)
  • CVE-2025-59156, CVE-2025-59157, CVE-2025-59158 – <= 4.0.0-beta.420.6 (Fixed in 4.0.0-beta.420.7)
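To check an instance against these ranges, here is an added helper (not Coolify's own code) that encodes the five rows above and takes the version string your instance reports. It deliberately reflects the two gaps the advisory leaves: CVE-2025-64419 is listed as affecting versions below beta.436 but fixed only from beta.445, and CVE-2025-64420/CVE-2025-64424 have no confirmed fix, so versions in those gaps report "unknown" rather than "fixed".

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int, int]

# Coolify beta tags look like 4.0.0-beta.451 or 4.0.0-beta.420.6
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)-beta\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse a Coolify beta tag into a comparable tuple. A missing trailing
    hotfix number counts as 0, so beta.420 < beta.420.6 < beta.421."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Coolify version: {text!r}")
    major, minor, patch, beta, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(beta), int(hotfix or 0))


# One rule per advisory line: affected CVEs, the affected bound, whether that
# bound is inclusive ("<=") or exclusive ("<"), and the first fixed version
# (None where the advisory leaves the fix status unclear).
RULES: List[Tuple[List[str], str, bool, Optional[str]]] = [
    (["CVE-2025-66209", "CVE-2025-66210", "CVE-2025-66211"], "4.0.0-beta.448", True, "4.0.0-beta.451"),
    (["CVE-2025-66212", "CVE-2025-66213"], "4.0.0-beta.450", True, "4.0.0-beta.451"),
    (["CVE-2025-64419"], "4.0.0-beta.436", False, "4.0.0-beta.445"),
    (["CVE-2025-64420", "CVE-2025-64424"], "4.0.0-beta.434", True, None),
    (["CVE-2025-59156", "CVE-2025-59157", "CVE-2025-59158"], "4.0.0-beta.420.6", True, "4.0.0-beta.420.7"),
]


def assess(version_text: str) -> Dict[str, str]:
    """Map every CVE in the advisory to 'vulnerable', 'fixed' or 'unknown'.
    'unknown' covers versions above the stated affected bound but below the
    stated fix, and entries with no confirmed fix."""
    v = parse_version(version_text)
    result: Dict[str, str] = {}
    for cves, bound_text, inclusive, fixed_text in RULES:
        bound = parse_version(bound_text)
        affected = v <= bound if inclusive else v < bound
        if affected:
            status = "vulnerable"
        elif fixed_text is not None and v >= parse_version(fixed_text):
            status = "fixed"
        else:
            status = "unknown"
        for cve in cves:
            result[cve] = status
    return result


def vulnerable_cves(version_text: str) -> List[str]:
    return sorted(c for c, s in assess(version_text).items() if s == "vulnerable")


def is_fully_patched(version_text: str) -> bool:
    """True only when every CVE has a confirmed fix at or below this version."""
    return all(s == "fixed" for s in assess(version_text).values())


if __name__ == "__main__":
    for ver in ("4.0.0-beta.420.6", "4.0.0-beta.440", "4.0.0-beta.451"):
        print(ver, "fully patched:", is_fully_patched(ver), "vulnerable:", vulnerable_cves(ver))
```

Because two CVEs have no confirmed fix in the advisory, `is_fully_patched` stays False even on beta.451; treat any "unknown" result as a reason to move to the latest release rather than as a pass.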
Source: Censys

According to data from attack surface management platform Censys, there are about 52,890 exposed Coolify hosts as of January 8, 2026, with most of them located in Germany (15,000), the U.S. (9,800), France (8,000), Brazil (4,200), and Finland (3,400).

While there are no indications that any of the flaws have been exploited in the wild, it is essential that users apply the fixes as soon as possible in light of their severity.
